xworm | eb6e34558fb8179f339e1a2e05b0e83a1c28f5621e75840507ad4c4fb6b5ac83

Analysis

max time kernel
30s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crypted.exe
Size

294KB
MD5

6be3a630099930af4aa9dc65e98ec3d8
SHA1

145c029176a6b3bdef2b9a2cfa5741f4ee6a5422
SHA256

eb6e34558fb8179f339e1a2e05b0e83a1c28f5621e75840507ad4c4fb6b5ac83
SHA512

c2578257c5b64c4dc7d67b2dafff7926c0caeb017bd9482c7b46fbdc7a14e1082bd52ff77c2422360b65f7830ef142a66d8f72c211b45f5250da0aa13612501e
SSDEEP

6144:IbN7cybLr9agW1XMmOji5Qd1+D+sQjzpVrm:IB7zbLrRWajd19nnpVq

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

robert2day-54368.portmap.host:54368

Mutex

8a7Sje0orHTMqu0F

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot8029262913:AAFSJbcefH3RuCQr6aHzYrVOAKTweiR_OvoM/sendMessage?chat_id=5479981438

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1556-4-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 1556	4600	Crypted.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1556	Crypted.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1556	Crypted.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	Crypted.exe
Token: SeDebugPrivilege	1556	Crypted.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1556	Crypted.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1556	4600	Crypted.exe	83
PID 4600 wrote to memory of 1556	4600	Crypted.exe	83
PID 4600 wrote to memory of 1556	4600	Crypted.exe	83
PID 4600 wrote to memory of 1556	4600	Crypted.exe	83
PID 4600 wrote to memory of 1556	4600	Crypted.exe	83
PID 4600 wrote to memory of 1556	4600	Crypted.exe	83
PID 4600 wrote to memory of 1556	4600	Crypted.exe	83
PID 4600 wrote to memory of 1556	4600	Crypted.exe	83

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Crypted.exe.log

Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
memory/1556-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1556-7-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1556-8-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/1556-10-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1556-9-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/1556-11-0x0000000005F50000-0x0000000005F5A000-memory.dmp

Filesize
40KB

Download
memory/1556-12-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-0-0x000000007533E000-0x000000007533F000-memory.dmp

Filesize
4KB

Download
memory/4600-1-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/4600-2-0x0000000004AE0000-0x0000000004B7C000-memory.dmp

Filesize
624KB

Download
memory/4600-3-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download